The Office suite is an essential set of tools for many businesses. With the growth of mobile devices in the workplace, it’s also essential to protect these applications everywhere.
What users expect from devices and apps is constantly changing. In turn, IT organizations must adapt to user requests for access to work applications and workflows. Administrators need to make sure teams are productive on both desktop and mobile devices, wherever they are, while trying to protect all that data.
To protect company information on mobile devices, IT teams often use management platforms such as mobile device management (MDM) or unified endpoint management (UEM). However, end users are often hesitant to relinquish control of their devices. Many are concerned about how much control a company has over their devices. To ensure employees have the freedom they want on their devices while protecting office apps and data, organizations can consider mobile application management (MAM) tools.
What is MAM?
MAM is usually a capability of an MDM or UEM product. Stand-alone products that provide only MAM functionality exist, but they are often not enough for full mobility management, so organizations tend to use the MAM features of more complete MDM and UEM tools.
IT uses MAM to protect apps and data on a device without having to enroll it in a device management platform. Microsoft Endpoint Manager provides MAM capability, as do other UEMs such as VMware Workspace One. However, to specifically apply protection policies to Office applications, Microsoft’s Intune tool is required. Organizations using Office 365 can subscribe to Intune, which is part of Microsoft Endpoint Manager, for an additional cost.
MAM uses app protection policies to configure apps on both fully managed and unenrolled user devices. Organizations often use MAM for personal or BYOD devices, where users want to access corporate data without having to enroll in their company’s device management platform. Users can download apps directly from the Apple App Store or the Google Play Store and authenticate to the app with their company credentials. The app then enforces the specific security settings the policy defines. MAM protection policies may include the following:
- block or allow data backup to iCloud (iOS only);
- block or allow the import of company data to other managed or unmanaged applications;
- restrict cut, copy, and paste between other apps;
- block or allow third-party keyboards;
- enforce application encryption;
- configure the PIN and credential requirements that users must meet to access managed applications;
- set device and app lock; and
- set actions for conditions such as jailbroken devices, maximum PIN attempts, and offline grace periods.
Intune supports the following MAM scenarios; other MDMs that support MAM offer similar ones:
- Fully Enrolled, or Company Owned, Personally Enabled (COPE). IT manages both at the device level and at the application level.
- Not managed by MDM (BYOD). IT only manages the apps on a device.
- Managed by third-party MDM. IT can use Microsoft’s app protection policies while using a different MDM for full management and additional security settings at the device level.
Application protection policies require users to have an Azure Active Directory account and an appropriate Microsoft 365 license, which must include a Microsoft Enterprise Mobility and Security license. Also, app protection policies only work with Microsoft Office mobile apps or apps that have been integrated with the Intune SDK or wrapped with the Intune App Wrapping Tool. Microsoft maintains a list of apps that conform to these requirements and are available for public use.
How to configure app protection policies for Office apps
To configure app protection policies in Microsoft Intune, IT administrators can navigate to the Microsoft Endpoint Manager admin center and select Apps > App protection policies > Create policy.
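The same policy can be created through the Microsoft Graph API instead of the admin center. The following is an added example, not Microsoft's code or the article's own: it builds the request body for an iOS app protection policy that implements the controls listed above (blocked iCloud backup, restricted data transfer and clipboard, app encryption, PIN, offline grace period and wipe), and audits an existing policy body for weaker settings. Property names follow the Graph v1.0 iosManagedAppProtection resource; the audit thresholds are this example's own choices, and authentication and the HTTP call are left out.

```python
"""Build and audit an Intune iOS app protection (MAM) policy request body.

Added example, not Microsoft's code: property names follow the Graph v1.0
iosManagedAppProtection resource; auth and the HTTP POST are left out and
the audit thresholds are this example's own choices."""

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"


def hardened_policy(name):
    """Policy body implementing the MAM controls listed in the article."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "dataBackupBlocked": True,                       # no iCloud backup of org data
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundDataTransferDestinations": "managedApps",  # no export to unmanaged apps
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",  # cut/copy/paste
        "saveAsBlocked": True,
        "appDataEncryptionType": "whenDeviceLocked",     # app-level encryption at rest
        "pinRequired": True,
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,                          # conditional launch: PIN attempts
        "periodOfflineBeforeAccessCheck": "PT12H",       # offline grace period (ISO 8601)
        "periodOfflineBeforeWipeIsEnforced": "P90D",     # wipe org data after 90 days offline
        "deviceComplianceRequired": True,
    }


def audit_policy(policy):
    """Return findings for settings weaker than hardened_policy(); missing keys count as permissive."""
    findings = []
    if not policy.get("dataBackupBlocked"):
        findings.append("iCloud backup of org data is allowed")
    if policy.get("allowedOutboundDataTransferDestinations", "allApps") == "allApps":
        findings.append("org data can be exported to any app")
    if policy.get("allowedOutboundClipboardSharingLevel", "allApps") == "allApps":
        findings.append("clipboard sharing with unmanaged apps is allowed")
    if policy.get("appDataEncryptionType") != "whenDeviceLocked":
        findings.append("app data is not encrypted whenever the device is locked")
    if not policy.get("pinRequired"):
        findings.append("no app PIN required")
    elif policy.get("maximumPinRetries", 99) > 10:
        findings.append("too many PIN attempts allowed before org data is wiped")
    if not policy.get("periodOfflineBeforeWipeIsEnforced"):
        findings.append("no offline period after which org data is wiped")
    return findings
```

The dictionary returned by hardened_policy() is serialized to JSON and sent as a POST to GRAPH_URL with a bearer token; running audit_policy() over bodies fetched with GET from the same URL flags existing policies that drift from this baseline.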
How to clear data from Office apps with Microsoft Intune
In addition to being able to restrict data access with MAM-based apps, administrators can also remotely wipe or selectively wipe app data. A remote wipe is useful if a device is ever lost or stolen, or if the end user decides to leave the company. Because mobile devices are smaller and easier to lose than other endpoints, the remote wipe option is especially important. If a device ends up in the hands of a malicious actor, administrators must wipe all corporate data from it, preventing unauthorized access to sensitive information.
There are three different methods for wiping devices: a full wipe, a retire, or a selective wipe. A full wipe removes all data and apps from the device and restores it to a factory reset state. This is an ideal method when administrators no longer use a device, need to reset and reuse a device for another function, or want to ensure that data on a lost device stays protected. A retire, on the other hand, is a better option for a BYOD environment. This type of wipe leaves the user’s personal data in place while removing only business data from select apps, and removes the device from MDM management.
Both users and administrators can issue remote commands from MDM portals, such as the Intune Company Portal, to managed devices. This enables self-service for users who want to take back control of their devices and their experience.
To initiate a full wipe or retire within Intune, follow these steps:
- Sign in to Microsoft Endpoint Manager Portal.
- Select Devices.
- Select the device you want to wipe.
- At the top of the screen, select either Wipe or Retire.
Administrators can also apply wipe and retire commands to multiple devices at once. This is often called a bulk or group action. To apply a bulk device action, select Devices > All devices > Bulk Device Actions.
A selective wipe is another ideal method for BYOD. With this type of wipe, administrators can remove corporate MDM policies and apps from the device, leaving personal apps and data intact. To initiate a device-based or user-based selective wipe within Intune, follow these steps:
- Sign in to the Microsoft Endpoint Manager portal.
- Select Apps in the left column.
- Scroll down to the “Other” section and select App selective wipe.
- Select the preferred wipe request type (device-based or user-based).
- For a device-based selective wipe, select Create wipe request and follow the prompts to select the user and the data you want to remove. Then select Create wipe request.
- For a user-based selective wipe, select User-level wipe, which prompts you to select the user. Then select Create wipe request.
Self-service requests for users
End users can also wipe, remove, and check the status and compliance of their own devices through the MDM portal apps. For an end user to remove or factory reset a device themselves through Microsoft Intune, administrators can direct the user to follow this process:
- Open the Intune Company Portal app for iOS or Android.
- Select Devices at the bottom of the screen.
- Select the device you need to reset or remove.
- Select the ellipsis icon, which looks like this: ….
- Depending on the action you want to perform, select one of the following options:
  - Remove device
  - Check status
  - Factory reset